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CREDIT UNION LEAGUE 


CONSUMER DATA INDUSTRY ASSOCIATION 
t'mpowering Economic Opportunity 


April 24, 2019 

TO: Members, Assembly Privacy and Consumer Protection Committee 


SUBJECT: AB 1416 (COOLEY) BUSINESS: COLLECTION AND DISCLOSURES OF CONSUMER 

PERSONAL INFORMATION 

SUPPORT - AS INTRODUCED FEBRUARY 22, 2019 
SCHEDULED FOR HEARING - APRIL 30, 2019 


The California Chamber of Commerce and the listed organizations SUPPORT AB 1416 (Cooley), as 
introduced February 22, 2019, because it ensures that crucial government programs can continue without 
interruption and that businesses can continue protecting consumers against fraud and identity theft, while 
still carrying out the intent of the California Consumer Privacy Act (CCPA). 

Under the CCPA, local governments will face difficulty receiving data services provided by businesses that 
are necessary for the operation of many important programs. Although government entities are not 
considered “Businesses” under the CCPA, they are “third parties” with whom businesses can be prevented 
from selling information pursuant to a consumer opt-out. When a consumer exercises the right to opt-out, 
it prevents a business from selling information to other private companies as well as government entities. 

The CCPA includes a number of exemptions pertaining to a government entity’s use of data. Unfortunately, 
the exemptions do not fully address the relationship between local government and their private partners. 
The definition of “service provider” under the CCPA provides solely for a “business” to process data on 
behalf of another “business,” not for a business to provide data to a government entity. 

Here are just a handful of real-life examples of how local governments use data provided by businesses: 

• Assessing placement options for foster youth with immediate and extended family members, or 
other homes when family reunification is not possible; 

• Collecting overdue child support payments from parents with missing or incorrect information on 
file with the county: 

• Determining the eligibility of Medi-Cal providers to ensure patient safety: 

• Verifying information about public pension recipients or their beneficiaries; and 

• Locating abducted children within the critical 24-hour window of a missing child report. 

AB 1416 will ensure that these important government programs can continue. 

AB 1416 addresses another problem with the CCPA that could harm consumers. The CCPA’s opt-out 
provision also undermines legal compliance activities and efforts by businesses to protect consumers from 
identity theft and to prevent other crimes, like money laundering and human trafficking, because it contains 
no exception for the prevention or investigation of fraud or other illegal activities. If not fixed, this would 
allow bad actors to opt out of services designed to prevent or investigate fraudulent or illegal behavior. 

For example, under the CCPA, a company providing anti-money laundering data services to a bank is not 
directly subject to the bank’s anti-money laundering legal obligations and cannot, therefore, claim a “legal 
compliance exemption.” That same company is also not a “service provider,” which is a business handling 
data at the direction of a business, such as a bank. Instead, the company providing anti-money laundering 
data services is a business putting together a service it then provides to the bank. A service from which bad 
actors can opt out and evade detection if the CCPA is not fixed. 




The CCPA already recognizes part of this problem in the deletion section of the law, which has an 
exemption stating that businesses need not delete data that is necessary to detect security incidents or to 
protect against malicious, deceptive, fraudulent, or illegal activity. AB 1416 ensures that this same type of 
exemption can be applied to the right to opt out of the sale of data for these limited purposes. 

This fix is necessary because other provisions of the CCPA do not address this concern. Although the 
definition of business purpose in the CCPA contains an exemption for “detecting security incidents, 
protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for 
that activity,” there is no provision stating that by having a statutorily defined “business purpose” a business 
may refuse to honor an opt-out request. 

Further, as discussed in the example above, provisions that exempt some data exchanges between a 
“Business” and a “Service Provider” from the definition of “sale” do not address the problem either. 
Companies providing fraud or crime prevention/investigation data services to businesses and governments 
are not “Service Providers” to those customers under the CCPA. A “Service Provider” is an entity that 
receives data from a Business and processes it solely for the Business.^ Instead, companies providing 
fraud or crime prevention/investigation services are selling data they control to another business or 
government agency; they are not only processing the data of the business or government agency. 

Further, the customers to whom fraud or crime prevention/investigation data services are provided often do 
not fall within the CCPA definition of “Business.” Many are government agencies, some are charities, and 
many are smaller businesses not covered by the CCPA. Since these entities are not a “Business” under 
the CCPA, by definition, another entity providing them data cannot be a “Service Provider” as that definition 
requires processing done on behalf of a “Business.” Thus, the fixes offered by AB 1416 are necessary. 

For these and other reasons, we SUPPORT AB 1416. 


Sincerely, 



Sarah Boot 
Policy Advocate 

California Chamber of Commerce 

California Attractions and Parks Association 
California Bankers Association 
California Credit Union League 
California Land Title Association 
CompTIA 

Consumer Data Industry Association 
CTIA 

Electronic Transactions Association 
Entertainment Software Association 
Internet Association 
Symantec 
Tech Net 

cc: Legislative Affairs, Office of the Governor 

Brian Ricks, Office of Assemblymember Ken Cooley 

Ronak Daylami, Assembly Privacy and Consumer Protection Committee 

Paul Dress, Assembly Republican Caucus 


SB:ldl 


^ The CCPA defines “Service Provider” as an entity “ to which the business discloses a consumer’s 
personal information.” 






